Applications must check user rights over and over again. This causes considerable effort, not only when developing the application but also when administering it. Often such rights systems are realized as bit-fields, which must be set for every single user or for user groups in a more or less poorly arranged screen menu. Usually the structure of the groups is not very flexible; groups consisting of other groups and/or users (even mixed) are very rarely possible.
While designing a large web-based information system with about 20,000 users, each of whom was to have very individual access rights, the question arose whether there are other ways to manage user rights.
Out of this situation the idea was born to define user rights not with fixed bit-fields but with dynamic expressions. The expressions represent set operations: one may define unions, intersections and differences of sets. A user has a specific right if he is a member of the set that results from evaluating the expression, possibly recursively over many levels. The application can request a predefined expression by its name or pass an expression it has created dynamically.
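The set-expression idea described above, as an added example that is not the iiitAccessServer's own code: a small Python evaluator over constructed group definitions (the names, users and expressions are invented for this example). It supports union, intersection and difference with recursive resolution of group names, refuses cyclic definitions, and fails closed on unknown names or malformed expressions.

```python
import re
# Constructed sample data (not the project's): a name maps to a literal set of user
# ids or to an expression over other names. '|' union, '&' intersection (binds
# tighter), '-' difference, parentheses group, and names resolve recursively.
DEFINITIONS = {
    "staff": {"alice", "bob", "carol"}, "contractor": {"dave", "erin"},
    "blocked": {"bob"}, "finance": {"carol", "erin"},
    "employees": "staff | contractor", "can_login": "employees - blocked",
    "can_pay": "can_login & finance",
}
TOKEN = re.compile(r"[A-Za-z_]\w*|[()|&-]")
def resolve(name, defs, stack=()):  # users denoted by `name`, recursing through expressions
    if name in stack:  # a cyclic definition raises instead of looping forever
        raise ValueError("cyclic definition: " + " -> ".join(stack + (name,)))
    value = defs[name]  # KeyError for an unknown name; has_right turns it into a deny
    return set(value) if isinstance(value, set) else evaluate(value, defs, stack + (name,))
def evaluate(expr, defs, stack=()):  # recursive-descent evaluation to a set of user ids
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # reject chars outside the grammar
        raise ValueError(f"illegal character in {expr!r}")
    def atom():  # name | '(' union ')'
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            s = union()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return s
        if tok is None or tok in "()|&-":
            raise ValueError("expected a name")
        return resolve(tok, defs, stack)
    def inter():  # atom ('&' atom)*
        s = atom()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            s &= atom()
        return s
    def union():  # inter (('|' | '-') inter)*
        s = inter()
        while tokens and tokens[0] in "|-":
            s = (s | inter()) if tokens.pop(0) == "|" else (s - inter())
        return s
    result = union()
    if tokens:
        raise ValueError("unexpected trailing tokens")
    return result
def has_right(user, expr, defs=DEFINITIONS):  # any evaluation error denies
    try:
        return user in evaluate(expr, defs)
    except (KeyError, ValueError):
        return False
```

`has_right("carol", "(staff | contractor) & finance - blocked")` shows an expression built dynamically by an application, while `has_right("alice", "can_login")` uses a predefined one by name.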
We have written a white paper showing the concept in detail.
The iiitAccessServer includes two variants of caches and data sources.
The base version uses a Java property file as its data source together with a simple 1st-level cache. The property file can easily be edited with any text editor, but changes are not recognized while the server is running. This base version is therefore only usable as a test and development system.
For production use, the iiitAccessServer can be extended with plug-ins providing additional interfaces, data sources and caches. The iiitAccessServer includes an interface to LDAP and a persistent 2nd-level cache backed by a database. All group definitions and predefined expressions are stored in an optimized format inside a MySQL database. A background thread called CacheManager recognizes all changes to the LDAP directory and writes them to the cache.
To achieve load balancing and high availability, the iiitAccessServer can be installed on any number of servers. Because it is implemented as a stand-alone server, it can be used by many different applications simultaneously. For Java applications there is an RMI interface; for others, a TCP/IP interface with an easy-to-use protocol has been implemented. The server can therefore be used not only by Java applications but also, very easily, by applications written in any programming language. Thanks to its modular structure, additional interfaces can be added easily.
The 2nd-level cache can split its database cache across up to 257 separate databases. The load-balancing mechanisms of the iiitAccessServer can also be used with this plug-in; only the CacheManager must not run more than once at a time.
Remark: We work mostly with Linux and develop for Linux. Therefore most of our software is tested only on Linux, and the installation guide etc. covers only Linux. Nevertheless our software should be usable with other operating systems too. If you find any mistakes while using it with another operating system, we will be glad to receive your hints or corrections and to integrate them as far as possible into the next release. In this case please contact firstname.lastname@example.org.
The iiitAccessServer consists of two parts, the server application and a library to be bound to Java applications. To assure free distribution and to allow its use also in commercial environments, these parts are distributed under different conditions.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (GPL) as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (GPL) for more details.
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License (LGPL) as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License (LGPL) for more details.